KaliTut

Kali Linux tutorial and Linux system tips

How to list NetBIOS shares using the NBTScan and Nmap Script Engine

Last Updated on by Leave a Comment

What is netbios? NetBIOS is a service that provides network connectivity and is often used to join a domain and legacy applications. This is a rather old technology, but it is still used in some software environments. And since this is an unprotected protocol, quite often it can be the starting point for an attack on a network. A good start would be to scan NetBIOS shares using the NBTScan and Nmap Script Engine.

What is netbios?

To accomplish this task, we will use our target machine as Metasploitable 2– a virtual machine with vulnerabilities intentionally created in it. We will attack it with Kali Linux, a distribution for hackers and pentesters.

What is netbios?

NetBIOS literally means “Basic Network Input / Output System”. It is a service that allows computers to communicate with each other over a network. However, NetBIOS is not a network protocol, but an API. It works on top of TCP / IP protocols using the NBT protocol, which allows it to work in modern networks.

NetBIOS provides two basic methods of communication. The datagram service allows you to communicate over a network without establishing a connection, which is ideal for situations where fast data transfer is important, for example, when generating errors. Session service, on the other hand, allows two computers to establish a connection to provide more reliable communication. NetBIOS also provides name services that deal with name resolution and network registration.

The main method of exploiting NetBIOS hackers is poisoning attacks. Their essence lies in the fact that the attacker being in the network, disguised as another machine in order to control and redirect traffic. At this stage, the hacker can also obtain the hashed user credentials in order to subsequently crack them.

How to use nbtscan

NBTScan is a command line tool used to scan networks for NetBIOS shared resources and name information. It can work in both Unix and Windows and is included in the standard Kali Linux distribution by default.

The first thing we can do is print out a certificate that will give us an idea of ​​all the uses for it and a few examples for scanning networks. Just type in the terminal nbtscan.

nbtscan

NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|()
 -v  verbose output. Print all names received
   from each host
 -d  dump packets. Print whole packet contents.
 -e  Format output in /etc/hosts format.
 -l  Format output in lmhosts format.
   Cannot be used with -v, -s or -h options.
 -t timeout wait timeout milliseconds for response.
   Default 1000.
 -b bandwidth Output throttling. Slow down output
   so that it uses no more that bandwidth bps.
   Useful on slow links, so that ougoing queries
   don't get dropped.
 -r  use local port 137 for scans. Win95 boxes
   respond to this only.
   You need to be root to use this option on Unix.
 -q  Suppress banners and error messages,
 -s separator Script-friendly output. Don't print
   column and record headers, separate fields with separator.
 -h  Print human-readable names for services.
   Can only be used with -v option.
 -m retransmits Number of retransmits. Default 0.
 -f filename Take IP addresses to scan from file filename.
   -f - makes nbtscan take IP addresses from stdin.
  what to scan. Can either be single IP
   like 192.168.1.1 or
   range of addresses in one of two forms:
   xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
 nbtscan -r 192.168.1.0/24
  Scans the whole C-class network.
 nbtscan 192.168.1.25-137
  Scans a range from 192.168.1.25 to 192.168.1.137
 nbtscan -v -s : 192.168.1.0/24
  Scans C-class network. Prints results in script-friendly
  format using colon as field separator.
  Produces output like that:
  192.168.0.1:NT_SERVER:00U
  192.168.0.1:MY_DOMAIN:00G
  192.168.0.1:ADMINISTRATOR:03U
  192.168.0.2:OTHER_BOX:00U
  ...
 nbtscan -f iplist
  Scans IP addresses specified in file iplist.

The simplest (and most basic) way to launch this great tool is to give it a range of IP addresses. In our case, there is only one computer on the network, so we will give its IP address as an example.

nbtscan 172.16.1.102

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE     METASPLOITABLE   00:00:00:00:00:00

Here we see the IP address, the display name of the NetBIOS, the server (if any), the user and the MAC address of the target. Note that machines running Samba sometimes return zero as a MAC address in response to such a request.
We can get a little more information if we set the verbose -v flag.

nbtscan 172.16.1.102 -v

Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__  <01>              GROUP
WORKGROUP        <00>              GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>              GROUP
WORKGROUP        <00>              GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>              GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------

In this case, we see some services and an indication of their type. This jumble brings us to the next use case, which will output services in a readable form. To do this, use the -h flag with the -v flag.

nbtscan 172.16.1.102 -vh

Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__  Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------

Now we see a bit more information that may be useful to us. We can also set the -d flag to dump (save) the contents of the entire package.

nbtscan 172.16.1.102 -d

Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name:  CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE    Service: 0x00 Flags: 0x0004
METASPLOITABLE    Service: 0x03 Flags: 0x0004
METASPLOITABLE    Service: 0x20 Flags: 0x0004
METASPLOITABLE    Service: 0x00 Flags: 0x0004
METASPLOITABLE    Service: 0x03 Flags: 0x0004
METASPLOITABLE    Service: 0x20 Flags: 0x0004
__MSBROWSE__   Service: 0x01 Flags: 0x0084
WORKGROUP         Service: 0x00 Flags: 0x0084
WORKGROUP         Service: 0x1d Flags: 0x0004
WORKGROUP         Service: 0x1e Flags: 0x0084
WORKGROUP         Service: 0x00 Flags: 0x0084
WORKGROUP         Service: 0x1d Flags: 0x0004
WORKGROUP         Service: 0x1e Flags: 0x0084

...

This command gives us the packet data that was used in this request. Note that this parameter cannot be used with the -v or -h options.
If you want to scan a list of IP addresses that are written in a file, you can use the -f flag to specify such a file as input and read these IP addresses from it. In our case, there is only one computer on the network, so in the course of our scanning, we only see it alone.

nbtscan -f addresses.txt

Doing NBT name scan for addresses from addresses.txt

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE     METASPLOITABLE   00:00:00:00:00:00

Conversely, if you want to save the results of any scan, you just need to add the name of the file to which you want to write this data to the end of the command.

nbtscan 172.16.1.102 > scan.txt

Scan Using Nmap Scripting Engine

Nmap, as part of the Nmap scripting engine, has one very handy little script that we can also use to accurately detect NetBIOS shared resources. This method has a slight advantage over the previous one – it can be run with other NSE scripts (Nmap Scripting Engine), which ultimately saves time when displaying many different things on the network.
We will run Nmap in the usual way, and the nbstat script will exit at the end. Here we use the -sV option to check ports, running services and their versions, as well as the -v flag for verbose output. Specify the script that you want to use, and we are ready to go.

nmap -sV 172.16.1.102 --script nbstat.nse -v

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]

...

Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC:  (unknown)
| Names:
|   METASPLOITABLE<00>   Flags: 
|   METASPLOITABLE<03>   Flags: 
|   METASPLOITABLE<20>   Flags: 
|   \x01\x02__MSBROWSE__\x02<01>  Flags: 
|   WORKGROUP<00>        Flags: 
|   WORKGROUP<1d>        Flags: 
|_  WORKGROUP<1e>        Flags:

Nmap starts and starts the usual scan, and then towards the end we finally see the results of the script. This is similar to the scan results that we performed earlier, but in fact it never hurts to know that there are different ways to perform the same task.

How to prevent scanning of shared NetBIOS resources

Fortunately for all administrators, there is a fairly simple solution to protect against unauthorized scanning of NetBIOS shared resources, namely, simply disabling NetBIOS itself. There are situations when disabling it can lead to malfunctions in the system, for example, when some obsolete applications completely depend on it, but in most cases, instead of these obsolete applications, there are already more advanced solutions and disabling NetBIOS will not harm. If you absolutely need to have NetBIOS, then beware of using default names. In some versions of Windows, C $ or ADMIN $ are well-known names and should be avoided if possible.
Conclusion In this lesson we learned about the NetBIOS service and how it can be used to attack. Using NBTScan, a simple console tool, we scanned and listed shared resources, and then figured out how to use the Nmap script for the same purpose. NetBIOS and obsolete technology maybe, but it is still found in corporate environments. And often, after exploration, its operation can be a good starting point for a start, so it’s helpful to know how it can be identified.

Leave a Reply

Your email address will not be published. Required fields are marked *